GAO: Secure Flight falls short in privacy, system security

The Homeland Security Department's Secure Flight program to screen airline passengers against terrorist watch lists is 'at serious risk' of being ineffective because its development has been rushed without properly defining what it should do, according to a new report from the Government Accountability Office released today.

'Without following a more rigorous and disciplined lifecycle process, including defining system requirements, the Secure Flight program is at serious risk of not meeting program goals,' GAO said.

Secure Flight also may fall short in protecting privacy and system security, GAO said.

The passenger screening program, which the Transportation Security Administration has been developing for about 18 months, is the latest program in which passenger names are checked against lists of known and suspected terrorists. Congress criticized earlier versions, including the Computer-Assisted Passenger Pre-Screening program (Capps I and II), because of potential invasions of privacy.

Rather than following typical best practices for similar IT programs, TSA created Secure Flight using a 'rapid development method' intended to bring it into operation more quickly.

'However, as a result of this approach, the development process has been ad hoc,' GAO said. For example, the design phase was completed before system requirements were set.

GAO said it is advising TSA to define and document system requirements, including how the system is to work, what data it needs to operate, how it connects with other systems and how it stays secure. TSA also must make policy decisions on which data it will require air carriers to provide and which name-matching technologies it will use.

System security also may be at risk, the report stated: 'Without a completed system security program, Secure Flight may not be adequately protected against unauthorized access and use or disruption, once the program becomes operational.'

And privacy protections may be inadequate, GAO noted.

'Secure Flight's system development documentation does not fully explain how passenger privacy protections are to be met, and TSA has not issued the privacy notices that describe how it will protect data once Secure Flight becomes operational,' GAO said. 'As a result, it is not possible to assess how TSA is addressing privacy concerns.'